I’ve discovered the VT “secpod_wordpress_detect_900182.nasl” generates a false positive (OID: 1.3.6.1.4.1.25623.1.0.805366) when wp-content is used on a page.
The wordpress detect script tries to determine if WordPress is used on a host and assigns “cpe:/a:wordpress:wordpress”.
I have a customer which uses N-Able. Running the VT will assign the WordPress CPE to this host, because of the following code on the webpage of N-Able:
<!DOCTYPE html public "-//w3c//dtd html 4.01//en" "http://www.w3.org/tr/html4/strict.dtd">
<html>
<head>
<meta charset="UTF-8" />
<script>
window.location.replace("/login");
</script>
<title>N-central Login Redirect</title>
</head>
<body>
<script>
window.onload = function reloadLoginPage() {
var loginPage = window.location.protocol + "/login";
location.replace(loginPage);
}
</script>
<img src='https://www.n-able.com/wp-content/themes/nable.2021/img/framework/nable.positive.svg' alt='N-able'>
<div>Your web browser did not automatically redirect you to N-central's login page. To address this issue, please enable JavaScript in your web browser for N-central's URL and reload this page.
</div>
<div><a href='/login'>Alternatively, you can click here to log into N-central.</a>
</div>
</body>
</html>
I suspect the following pagecode is triggering the following VT:
<img src='https://www.n-able.com/wp-content/themes/nable.2021/img/framework/nable.positive.svg' alt='N-able'>
if( res && res =~ "^HTTP/1\.[01] 200" &&
( '<meta name="generator" content="WordPress' >< res ||
res =~ "/wp-content/(plugins|themes|uploads)/" ||
res =~ "/wp-includes/(wlwmanifest|js/)"
)
) {
if( dir == "" ) rootInstalled = TRUE;
version = "unknown";
conclUrl = http_report_vuln_url( port:port, url:url, url_only:TRUE );
While the N-Able pages uses a .svg image with “wp-content” in it’s URL, it doesn’t mean this host has WordPress installed. It’s not unreasonable other sites have an img src with “wp-content” in it’s url.
This check should be rewritten to prevent false positives. I am still looking into this and will try to edit the VT but any validation or help is welcome. Thank you.